
SSL and TLS: which one should I choose?

Friday, November 25th, 2016

If you know about SSL, you have probably encountered the term “TLS” as well. SSL and TLS are sometimes used as synonyms because they are related technologies. We can actually think of TLS as an upgraded version of SSL. Both protocols encrypt information, but like any other technology they have evolved over time and differ from one another in certain ways.

What do SSL and TLS have in common? Both Secure Sockets Layer and Transport Layer Security are protocols used to secure data transfer between the user’s browser and the web server. Both of them encrypt the data using private and public keys. However, TLS uses different cryptographic algorithms to generate keys for the MAC function. TLS blocks exploitation methods and includes more alert codes than SSL. These elements make TLS Certificates more secure than SSL Certificates.

SSL 2.0

In 1995, Netscape designed the first version of SSL, called SSL 2.0. Some vulnerabilities were soon found, and SSL 3.0 was released a year later. SSL 3.0 was used until the fall of 2014, when Google’s security team discovered a major security loophole in it.

From SSL to TLS

In 1999, TLS 1.0 was designed as the successor protocol to SSL. Although the differences were not essential, experts stated that SSL 3.0 was less secure than TLS 1.0.

In 2006, TLS 1.1 was released. The next version, TLS 1.2, followed in 2008. TLS 1.2 is the current version, which everybody uses today. As of March 2016, TLS 1.3 is still in draft and has not yet been released.

SSL Vulnerabilities and POODLE

In 2014, a team of security specialists employed by Google found a major issue in SSL, and called it “POODLE”. This became an important reason for everybody to transition from SSL to TLS.

In a nutshell, POODLE takes advantage of SSL 3.0 fallbacks. The attackers “abuse” SSL 3.0 and use it to decrypt parts of the content. After a significant number of attacks, some parts of the connection between the client and the server are revealed, and the attacker can gain access to information. Any system that supports SSL 3.0 can be attacked using the POODLE method.

In 2002, long before the POODLE vulnerability was discovered, other loopholes such as BEAST or BREACH were found. It was only in 2011 that they were practically demonstrated. Microsoft, Apple, and other browser companies worked together to solve this problem.

What is the real difference?

As time passed, the security issues with SSL led to the creation of a better solution – TLS. There are improvements in every new version, but the end product is the same for the user. Moreover, because the name “SSL” was much more popular than “TLS”, all the SSL Certificates on the market today are actually TLS Certificates; they simply inherited the much more popular name of their predecessor.

SSL and TLS do the same thing – they encrypt information transferred on the web. TLS is just a more secure, upgraded version of SSL. TLS became so popular that the old SSL protocol is no longer offered or in use. However, to prevent the public from getting confused and asking what “TLS” is and how it differs from “SSL”, the certificate authorities named “TLS” as “SSL”. We all buy SSL Certificates nowadays, though they are actually TLS Certificates.

SSL Dragon offers only TLS certificates, though you can only find them under the name of “SSL Certificates”. You can install both SSL and TLS on a server nowadays. However, taking into account all the vulnerabilities, it is risky and unwise to install older versions of SSL and TLS. We also recommend disabling any older versions of SSL and TLS Certificates that you may have on your servers and getting the newest, most cost-effective and highly secure SSL Certificates that we have for sale on our website today.

You can find the list with all our SSL Certificates here.
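
To act on the recommendation above to disable older versions of SSL and TLS, the following added example (not part of the original article or any SSL Dragon tooling) audits nginx `ssl_protocols` and Apache `SSLProtocol` directives and reports which legacy versions each one still enables. It assumes, following the article, that everything older than TLS 1.2 is legacy; the sample configuration lines are constructed.

```python
import re

# Protocol names as written in nginx `ssl_protocols` and Apache `SSLProtocol`.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption taken from the article: everything older than TLS 1.2 is legacy.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Matches an active (uncommented) directive and captures its arguments.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)


def enabled_protocols(args):
    """Resolve directive arguments (e.g. 'all -SSLv3') to the enabled set."""
    canon = {name.lower(): name for name in KNOWN}
    enabled = set()
    for token in args.split():
        remove = token.startswith("-")
        name = token.lstrip("+-").lower()
        if name == "all":
            # Conservative assumption: "all" may include every known version.
            names = set(KNOWN)
        else:
            # Unknown tokens resolve to the empty set and are ignored.
            names = {canon[name]} if name in canon else set()
        enabled = enabled - names if remove else enabled | names
    return enabled


def audit(config_text):
    """Return (line_number, legacy_protocols) for each offending directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        legacy = enabled_protocols(match.group(2)) & LEGACY if match else set()
        if legacy:
            findings.append((number, sorted(legacy, key=KNOWN.index)))
    return findings


# Constructed sample configuration lines (not from any real server).
SAMPLE = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
SSLProtocol all -SSLv3
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for number, legacy in audit(SAMPLE):
        print(f"line {number}: legacy protocols enabled: {', '.join(legacy)}")
```

A clean configuration produces no findings; a line that still lists SSLv3 is the one exposed to the POODLE issue described earlier.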